Transcription

2 The IAONA Handbook for Network Security Version 1.3 Published by IAONA e.v. Based on the work of IAONAs Joint Technical Working Group (JTWG) Network Security. Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation. The following parties have contributed to this document: DEHOF computertechnik ABB Data Systems Innominate AG ininet GmbH / VPI Hirschmann AC GmbH TRUMPF Laser GmbH + Co. KG University Magdeburg WAGO Kontakttechnik Matthias Dehof (Chairman JTWG Network Security) Martin Naedele, Dacfey Dzung Detlef Kilian Steffen Bruß, Frank Merkel Peter Brügger Klaus Reister, Ralf Kaptur Rainer Thieringer Marcus Tangermann Christoph Möller All illustrations, charts and layout examples shown in this document are intended solely for purposes of example. IAONA assumes no responsibility or liability (including intellectual property liability) for actual use based upon examples given in this publication. Reproduction of the contents of this copyrighted publication, in whole or in part, without written permission of IAONA is prohibited. IAONA, 2005 IAONA e.v. Universitätsplatz Magdeburg Germany Version 1.3 IAONA Handbook Network Security 2

5 1 Introduction Ethernet based communication systems have entered the factory floor. During the last 5 years different fields of application using different Ethernet based communication protocols and technologies have been established ranging from web based management of devices to motion control applications. This increasing use of Ethernet based services and devices came for many companies through the backdoor: first a simple FTP session for firmware uploads and a telnet session for changing settings, then a web server for advanced and comfortable configuration and diagnostics, and finally the use of real-time Ethernet communication protocols for device communication within control applications. It was a small step from using these devices point-to-point connected to a serviceman's laptop to connecting the devices to a company network. With the broad use of PC based devices, it was possible to connect anything and for quite a time, finally, the network was just what is was made for. But with the increasing use of Ethernet based communication technologies also the problems of this technology have entered the factory network. The possible data exchange using s or direct device access will enable an undue influence on the devices by hackers, with-collar criminals, or even unilluminated employees. When more people were accessing the network - and an increasing number of non-technicians and non-employees were among them - the network was opened to the Internet and was used for web-access and services. Thereby, viruses and worms coming with laptops and s, some of them do no harm but others may cause the loss of a complete production line. Even when these viruses have no direct effect on devices, overloaded network traffic is even worse than a single deleted hard disk. The direct access to control devices using HTTP or SNMP based device management systems will, in principle, enable unauthorized people to acquire control system and production system sensitive data and to change sensitive system settings causing economic disadvantages. As a matter of fact, the IT departments are confronted with a complete new line of problems. Any intrusion, by accident or intention has a bigger effect than in the office world. An automation network needs to be fail-safe. Data within an automation system need to be protected from unauthorized access. The unauthorized change of control relevant data or even the circumvention of a data exchange may result in a production system break down. A down time of a production line of a few minutes can cost some thousands of Euros because it may take some hours to restart the complete line. In contrast to this a short breakdown in the office environment is equally disturbing, but the consequences are different. To cope with the mentioned problems and to ensure the security of industrial communication systems special technologies and strategies have been developed or even from the office world adapted to the factory floor. One important role within this process has been played by the IAONA Joint Technical Working Group (JTWG) Network Security. Within this JTWG the state of the art of network security technologies for industrial application have been collected and aggregated to an advice for best practice. Based on the results of the IAONA JTWG Network Security the Handbook - Network Security has been created. It will be maintained by the members of the JTWG and reflects the current status of technology. The Handbook is not a static book, but subject to change to keep up with threats and developments. The Handbook was designed to establish "know-how" for network security in industrial applications and make this accessible for to users Version 1.3 The IAONA Handbook for Network Security 5

6 give recommendations on how to plan secure networks provide tools for network analysis and escalation schemes create guideline for network security to be provided to IT and factory floor personnel give input to normative committees, such as IEC The user's benefits are support for security risk analysis, support in the selection of appropriate security measures and most important - the avoidance of production down time caused by security leaks. All-in-all, the IAONA Handbook - Network Security will provide interested people with the necessary knowledge about existing security problems, useable security architectures, and all necessary activities to establish these architectures. To follow this aims the handbook is organized as follows. Within the following (the second) chapter necessary basics about network security will be described. This includes a definition of the term Security, the term of IAONA Security Classes, the description of basic protocols, structures, and architectures and its security problems, defense strategies, and security components with its security relevant behavior. The third chapter will describe in detail the security methodology developed by IAONA JTWG Network Security with strategies, structures, devices, protocols, and defense measures. Chapter four can be seen as a cookbook for network security providing best practice scenarios for special application cases. Chapter five introduces the IAONA Security Data Sheet, a mean for collection and distribution of security relevant information of devices, systems, and networks based on the IAONA Security Methodology. Within this chapter the IAONA Security Data Sheet will be described in detail and its application and benefits in practice will be considered. The handbook will conclude with three annexes. The first annex will provide a template of the IAONA Security Data Sheet and the second one will give the XML schema used for the computer based processing of the IAONA Security Data Sheet. The third annex will provide a detailed listing and description of 28 Ethernet based communication protocols used within factory communication systems including a security relevant survey of each protocol. The full version of this IAONA Handbook is currently only available for IAONA s members! Please contact IAONA s office for more information! Version 1.3 The IAONA Handbook Network Security 6

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN

Using Innominate mguard over BGAN Version 2 6 June 2008 inmarsat.com/bgan Whilst the information has been prepared by Inmarsat in good faith, and all reasonable efforts have been made to ensure its accuracy,

A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

Gigabit Content Security Router As becomes essential for business, the crucial solution to prevent your connection from failure is to have more than one connection. PLANET is the Gigabit Content Security

Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How

Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if

Network Configuration Settings Many small businesses already have an existing firewall device for their local network when they purchase Microsoft Windows Small Business Server 2003. Often, these devices

Using a VPN with CentraLine AX Systems User Guide TABLE OF CONTENTS Introduction 2 What Is a VPN? 2 Why Use a VPN? 2 How Can I Set Up a VPN? 2 Important 2 Network Diagrams 2 Network Set-Up with a VPN 2

E-commerce Production Firewalls A Proper Security Design 2006 Philip J. Balsley. This document and all information contained herein is the sole and exclusive property of Philip J. Balsley. All rights reserved.

Networking Systems Design and Development Lee Chao CRC Press Taylor & Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Croup, an Informa business AN AUERBACH BOOK

The best network information COPA-DATA know-how: SNMP with zenon The best network information COPA-DATA know-how: SNMP with zenon A control system for Energy Automation always has many different IT devices.

Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers Secure Remote Access at the Heart of the Small Business Network Highlights Dual WAN connections for load balancing and connection redundancy

Page 1 of 10 Contestant Number: Time: Rank: COMPUTER NETWORK TECHNOLOGY (300) REGIONAL 2014 TOTAL POINTS (500) Failure to adhere to any of the following rules will result in disqualification: 1. Contestant

User s Manual Second Edition, January 2011 www.moxa.com/product 2011 Moxa Inc. All rights reserved. Reproduction without permission is prohibited. User s Manual The software described in this manual is

Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

The following article was published in ASHRAE Journal, November 2003. Copyright 2003 American Society of Heating, Refrigerating and Air-Conditioning Engineers, Inc. It is presented for educational purposes